Close to Optimally Secure Variants of GCM

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode that provides birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about 2^{n/2} adversarial queries if no nonce used in the encryption oracle is ever repeated, where n is the block size. It is an open problem whether the security of GCM can be improved using only simple operations. This paper gives a positive answer to this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bounds by the hybrid technique. Then, we use these pseudorandom functions together with a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are provably secure up to approximately 2^n/(67(n − 1)^2) and 2^n/67 adversarial queries, respectively, in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe future work.

Birthday-Bound Security and Beyond-Birthday-Bound Security. Most AE modes, such as [6,7,9,20,21,26], offer only birthday-bound security; that is, they are secure up to roughly 2^{n/2} adversarial queries, where n is the block size.
The block cipher in current use is AES (block size n = 128). When AES is used in a birthday-bound mode of operation, 128-bit security degrades to at most about 64-bit security, which is unacceptable in some settings. It is therefore important to design AE modes that ensure beyond-birthday-bound (BBB) security. BBB security means that an AE mode is provably secure up to approximately 2^{kn/(k+1)} adversarial queries for some integer k ≥ 2. If an AE mode is provably secure up to roughly 2^n adversarial queries, we say that it provides optimal security. To achieve stronger security (BBB or optimal security), AE modes usually sacrifice efficiency in hardware and software implementation. For example, a BBB-secure pseudorandom function is often built from several block cipher calls or from the sum of block cipher outputs. The more the underlying block cipher is invoked, the higher the cost, so BBB-secure AE modes are generally less efficient. In recent years, many AE modes that ensure BBB security have appeared, such as [10-12, 22-24, 30-32].
Problem Statement. The Galois/Counter Mode of operation (GCM) [33], designed by McGrew and Viega, is a nonce-based AEAD scheme. GCM combines counter mode for the encryption part with a polynomial hash function for the authentication part, and it is among the block cipher AE modes of operation recommended by NIST. Its security relies on the nonce-respecting setting, in which all nonces used in encryption queries are distinct. Iwata et al. [34] pointed out that the originally claimed security bound was flawed and presented a new provable security bound, which was later improved by Niwa et al. [35]. GCM retains birthday-bound security and has better security bounds for 96-bit nonces. On the attack side, Saarinen showed weak keys of GHASH and cycling attacks on GCM in [36]. Other research related to GCM includes [37][38][39][40][41][42][43][44]. GCM is widely deployed in IEEE 802.1AE Ethernet security, IEEE 802.11ad, the IETF IPsec standards, SSH, TLS, and so on. GCM is proven secure up to roughly 2^{n/2} adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure pseudorandom permutation. In other words, the security guarantee of AES-GCM is exhausted after at most 2^{64} adversarial queries, which is not sufficient in some settings. Therefore, in this paper we consider whether one can design a scheme that provides better security (BBB or optimal security) and so improves the security guarantee of GCM.
Our Contributions. This paper gives a positive answer to the above question. We first introduce a basic tool: close to optimally secure pseudorandom functions (PRFs) designed, respectively, from the Encrypted Davies-Meyer (EDM) [45] and EDM Dual (EDMD) [46] constructions. We then construct two improved versions of GCM, called OGCM-1 and OGCM-2, which are parallelizable nonce-based close to optimally secure AEAD modes. OGCM-1 and OGCM-2 are provably secure up to approximately 2^n/(67(n − 1)^2) and 2^n/67 adversarial queries, respectively, in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation (PRP). Both follow the "Encryption-then-MAC" approach: the encryption part uses a multi-EDM or multi-EDMD function as a close to optimally secure key-stream generator, and the MAC part combines an EDM or EDMD construction with an almost-XOR-universal (AXU) hash function to produce the authentication tag.
OGCM-1 and OGCM-2 balance security against the efficiency of software and hardware implementation. Take AES-OGCM-1 or AES-OGCM-2 as an example, that is, the underlying block cipher instantiated with AES. First, from the point of view of security, they achieve at most about 107.9565-bit or 121.9339-bit security (that is, 128 − log2 67 − 2 log2 127 bits and 128 − log2 67 bits, respectively), which is better than AES-GCM (at most about 64-bit security). In the nonce-respecting scenario they can encrypt at most 2^{96} plaintexts (as the nonce length is 96 bits), and the maximum block length of each plaintext is about 2^{32} blocks (64 GBytes). Second, from the point of view of efficiency, they invoke the block cipher 2m + 2 times and use m + a + 1 finite-field multiplications, where m is the number of plaintext blocks and a is the number of associated data blocks. Their throughput is therefore about half that of AES-GCM. In other words, AES-OGCM-1 and AES-OGCM-2 trade implementation efficiency for stronger security. The comparisons among AES-GCM, AES-OGCM-1, and AES-OGCM-2 are shown in Table 1.
Organization of This Paper. Some preliminaries are presented in Section 2. The basic tool is provided in Section 3. OGCM-1 is described in Section 4, and its security results are derived in Section 5. OGCM-2 and its security are shown in Section 6. Section 7 gives some discussion and future work. Finally, Section 8 concludes the paper.

Preliminaries
Notations. Let {0, 1}* be the set of all finite strings (including the empty string). For a finite string  ∈ {0, 1} an -bit permutation and its inverse is written as   =  −1  . Let Perm(n) be the set of all n-bit permutations. Suppose that A is an adversary with access to an encryption oracle.
Let  $ ←  K  and  $ ←  Perm(n); then the PRP-advantage of A against  is defined as where the probabilities are taken over the random choices of  and  and over the internal coins of A, if any. If Adv prp  (A) is negligible, the block cipher   is a secure pseudorandom permutation (PRP).
A keyed function is a mapping  : K  × {0, 1}  → {0, 1}  which takes a key  ∈ K  and a plaintext  ∈ {0, 1}  as input and returns a ciphertext  ∈ {0, 1}  . For any fixed  ∈ K  ,   : {0, 1}  → {0, 1}  is a function from {0, 1}  to {0, 1}  . Let Func(, ) be the set of all functions from {0, 1}  to {0, 1}  . If  = , we write Func(). Suppose that A is an adversary with access to an encryption oracle. Let  $ ←  K  and  $ ←  Func(, ); then the PRF-advantage of A against  is defined as where the probabilities are taken over the random choices of  and  and over the internal coins of A, if any. If Adv prf  (A) is negligible, the keyed function   is a secure pseudorandom function (PRF).
If the resources available to an adversary are at most , the maximum advantage is defined as Adv() = max A Adv(A), where  includes the running time , the total number of oracle queries , the maximum block length , and the total number of blocks over all queries (the query complexity) .
Universal Hash Functions. Let  ≥ 1; a keyed hash function  : K ℎ × D → {0, 1}  is a mapping which takes a key  ℎ ∈ K ℎ and a message  ∈ D as input and returns an output  ∈ {0, 1}  . We say  is an (, )-almost-XOR-universal ((, )-AXU) hash function if, for any  ∈ D and
Finite Field. Given a basis, the finite field GF(2^n) can be identified with the set {0, 1}^n. For an n-bit string Hence, any integer between 0 and 2^n − 1 can also be viewed as a polynomial with binary coefficients of degree at most n − 1. For example, 2 corresponds to x, 3 corresponds to x + 1, and 7 corresponds to x^2 + x + 1. Addition in the field GF(2^n) is addition of polynomials over GF(2), which is bitwise XOR; we write it a ⊕ b for a, b ∈ GF(2^n). To define multiplication over GF(2^n) we fix an irreducible polynomial P(x) of degree n over GF(2); for n = 128, P(x) = x^128 + x^7 + x^2 + x + 1. The product of two elements a, b ∈ GF(2^n) is the polynomial product over GF(2) reduced modulo P(x), that is, a(x)b(x) mod P(x).
Authenticated Encryption. A conventional nonce-based authenticated encryption with associated data (AEAD) scheme Π consists of an encryption algorithm E : where

Basic Tool: Close to Optimally Secure PRFs
In this section, we set up a new function  1 which is constructed from the EDM construction [45].
We have the following theorem for information-theoretic security of the function  1 .

Theorem 1.
Let A be an adversary with access to the function  1 . Let d ≥ 2 be any threshold. Assuming that A makes at most 2^n/(67 d^2) oracle queries, generating at most  =  blocks, the PRF-advantage of A against  1 is upper-bounded by The result of Theorem 1 shows that  1 , constructed from  1 and  2 , achieves BBB security. If d = 2 and the number of queries q is at most 2^{n−8}, then the PRF-advantage of A against  1 is upper-bounded by 1.5 q^{3/2}/2^n, which means that  1 is a provably BBB-secure PRF up to approximately 2^{2n/3} adversarial queries. If d = n − 1 and the number of queries is at most 2^n/(67(n − 1)^2), then the PRF-advantage of A against  1 is upper-bounded by /2  , which means that  1 is a close to optimally secure PRF up to approximately 2^n/(67(n − 1)^2) adversarial queries.
The proof of Theorem 1 uses the hybrid technique. The security of the function  1 reduces to the security of the EDM construction [46], whose proof relies on Patarin's mirror theory.

Security and Communication Networks
Proof. Let  $ ←  Func(, ) and  $ ←  Func(, ); then the PRF-advantage of A against the function  1 is as follows: Let  : {0, 1}  → {0, 1}  be a reduced EDM construction obtained by fixing  −  bits. Let B be an adversary which has access either to the reduced EDM function  or to the random function  and makes   queries for the th . By the security of the EDM construction, if the number of queries is at most 2^n/(67 d^2) for a threshold d ≥ 2, we have We construct a hybrid function where the inequality follows from ∑    = . This completes the proof.

Multi-EDM-Dual (Multi-EDMD) Function  2 . In this section, we set up another new function  2 which is constructed from the EDMD construction [46]. Assuming that  1 and  2 are two independent random n-bit permutations, we define a function  2 : {0, 1}  → {0, 1}  as  2 () = ( 1 ,  2 , . . .,   ), where We have the following theorem for the information-theoretic security of the function  2 .
Theorem 2. Let A be an adversary with access to the function  2 . Assuming that A makes at most 2^n/67 oracle queries, generating at most  =  blocks, then the PRF-advantage of A against  2 is upper-bounded by The proof of Theorem 2 is similar to that of Theorem 1 and is therefore omitted.
The result of Theorem 2 shows that  2 , constructed from  1 and  2 , is a provably secure PRF up to approximately 2^n/67 adversarial queries; that is,  2 achieves close to optimal security. This is consistent with the result of Mennink and Neves [48].

OGCM-1: Close to Optimally Secure Variant of GCM
In this section, we use the close to optimally secure PRF  1 to build an improved variant of GCM, called OGCM-1. OGCM-1 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM-1 is a two-pass nonce-based AEAD scheme following the "Encryption-then-MAC" approach: the encryption part uses the close to optimally secure PRF  1 as a stream-cipher encryption mode, and the MAC part combines an AXU hash function with the EDM construction to generate the authentication tag.
Here ⊥ denotes the failure output of the decryption oracle.
Privacy. Let $(⋅, ⋅, ⋅) be a random oracle that takes (, , ) as input and returns a random string of length || + ||. Let A be an adversary with access to an oracle (either the encryption oracle E  (⋅, ⋅, ⋅) or the random oracle $(⋅, ⋅, ⋅)) that returns  ∈ {0, 1}. We say that A is a nonce-respecting adversary if all nonces  1 , . . .,   are distinct for all
Algorithm listing, the encryption algorithm of OGCM-1. Input: three keys ( 1 ,  2 ,  ℎ ), a nonce , an associated data , and a plaintext . Output: a ciphertext  and a tag.

Main Results and Security Proofs.
Assuming that the underlying block cipher  is a secure PRP, OGCM-1 achieves close to optimal security in the information-theoretic setting. Concretely, the privacy and authenticity of OGCM-1 are provably secure up to roughly 2^n/(67(n − 1)^2) adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure PRP. We first present the privacy of OGCM-1.
Algorithm listing, the hash function of OGCM-1. Input: a hash key  ℎ , an associated data , and a ciphertext . Output: a hash value.
Theorem 3 (privacy of OGCM-1). Let  : K  × {0, 1}  → {0, 1}  be a block cipher and  : K ℎ × {0, 1} * × {0, 1} * → {0, 1}  be an -AXU hash function, where K  and K ℎ are two nonempty sets of keys. Let A be a nonce-respecting adversary which makes at most 2^n/(67(n − 1)^2) queries to OGCM-1 with maximum block length  and running time . Then there exists another adversary A  against the PRP-security of , making at most  = ( + 1) oracle queries and running in time at most ( + ()), such that, for any adversary A, The proof of Theorem 3 has two steps. First, we replace   1 and   2 with two independent random n-bit permutations  1 and  2 , where  1 and  2 are drawn randomly and independently from K  . Let  = ( 1 ,  2 ) and let OGCM-1[] be the resulting construction. By a hybrid argument, it is easy to show that there exists another adversary A  against the PRP-security of , making at most  = ( + 1) oracle queries and running in time at most   = ( + ()), such that Then our goal is to upper-bound Adv priv
Lemma 4. Let  = ( 1 ,  2 ) be two permutations chosen randomly and independently from Perm(n). Let A be a nonce-respecting adversary which makes at most 2^n/(67(n − 1)^2) queries to OGCM-1[], generating at most  blocks. Then, for any such adversary A, Proof. The proof is by contradiction. The idea is as follows. If there exists a nonce-respecting adversary A against OGCM-1[] such that Adv priv OGCM-1[] (A) > /2  , then we can construct a nonce-respecting adversary B against  1 with Adv prf  1 (B) > /2  , contradicting Theorem 1. The details follow.
Let E[] be the encryption algorithm of OGCM-1[] and let $ be a random function that takes (, , ) as input and always returns a random string of length || + ||. Suppose, to the contrary, that there exists a nonce-respecting adversary
Algorithm 4: Code of the PRF-adversary B against  1 using the PRIV-adversary A.
Let  ∈ Func(, ) be a random function, where  =  + 1. Consider an adversary B that makes  queries to an oracle O (either  1 or ), generating  =  blocks, where B uses A as a subroutine (see Algorithm 4).
which contradicts Theorem 1. Therefore the hypothesis is false and the claim of the lemma holds, where This completes the proof of Lemma 4.
Therefore, combining (12) and (13), the result of Theorem 3 follows. The privacy of OGCM-1 is secure up to roughly 2^n/(67(n − 1)^2) adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure PRP. Next, we consider the authenticity of OGCM-1.

For (22), we consider the forgery attempt (  ,   ,   ,   ). As A is a nonce-respecting adversary, there is at most one response (  ,   ,   ,   ) of the encryption oracle such that   =   , where  ∈ [1, q]. Assuming a dummy key  ℎ , we distinguish the following two cases for the single forgery attempt.
Case 1. There exists a tuple (  ,   ,   ,   ) such that   =   for some  ∈ [1, q]. By the AXU property of , we have
Case 2. There is no (  ,   ,   ,   ) such that   =   for any  ∈ [1, q]; that is,   is new. Let ν be the nonce length. We consider the following subcases.
Therefore, combining (18) and (19), the result of Theorem 5 follows. If the maximum block length is about 2^{n−ν}, where ν is the nonce length, and the tag is n bits long, the authenticity of OGCM-1 is secure up to roughly 2^n/(67(n − 1)^2) adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure PRP.

OGCM-2: A Dual Variant of OGCM-1
In this section, we use the close to optimally secure PRF  2 to build another improved variant of GCM, called OGCM-2. OGCM-2 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM-2 is a two-pass nonce-based AEAD scheme following the "Encryption-then-MAC" approach: the encryption part uses the multi-EDMD function  2 as a stream-cipher encryption mode, and the MAC part combines an AXU hash function with the EDMD construction to generate the authentication tag.
The overview of OGCM-2 is depicted in Figure 2. The encryption and decryption algorithms of OGCM-2 are given in Algorithms 5 and 6.
The security of OGCM-2 is derived in the following theorem.
Theorem 7 (security of OGCM-2). Let  ≥ 1. Let A be a nonce-respecting adversary which makes at most 2^n/67 encryption queries and one forgery attempt against OGCM-2 and runs in time at most . Then there exists another adversary A  against the PRP-security of , making at most  oracle queries and running in time at most ( + ()), such that, for any adversary A, The proof of Theorem 7 is similar to the proofs of Theorems 3 and 5 and is therefore omitted.
By Theorem 7, assuming that the underlying block cipher  is a secure PRP, that the maximum block length is about 2^{n−ν} (ν being the nonce length), and that the tag is n bits long, the privacy and authenticity of OGCM-2 are provably secure up to roughly 2^n/67 adversarial queries in the nonce-respecting scenario.

Discussions and Future Works
Compared with GCM, both OGCM-1 and OGCM-2 strike a balance between security and efficiency.
Figure 2: OGCM-2, a dual variant of OGCM-1. (Decryption input: three keys ( 1 ,  2 ,  ℎ ), a nonce , an associated data , a ciphertext , and a tag .)
From the perspective of security, they enjoy close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. They can encrypt at most 2^ν plaintexts in the nonce-respecting scenario, and the maximum block length of a plaintext is 2^{n−ν} − 1, where ν is the nonce length and n is the block size. The privacy of OGCM-1 (resp., OGCM-2) is upper-bounded by /2  and the authenticity of OGCM-1 (resp., OGCM-2) is upper-bounded by /2  ++/2  +2/2  , for approximately 2^n/(67(n − 1)^2) (resp., 2^n/67) adversarial queries and one forgery attempt, where  is the number of encryption queries,  is the query complexity, and  is the bit length of the authentication tag. In other words, the privacy and authenticity of OGCM-1 ensure at most about (n − log 67 − 2 log(n − 1))-bit security, while those of OGCM-2 ensure at most about (n − log 67)-bit security, where log denotes the base-2 logarithm. Let n = 128 and ν = 96, let the maximum block length be 2^{n−ν}, and let the tag length be 128. Then AES-OGCM-1 and AES-OGCM-2 can encrypt at most 2^{96} plaintexts in the nonce-respecting scenario, the maximum length of a plaintext is about 2^{32} blocks (64 GBytes), and privacy and authenticity achieve roughly 107.9565-bit or 121.9339-bit security, respectively, which is better than AES-GCM (about 64-bit security). Like GCM, OGCM-1 and OGCM-2 are based on polynomial AXU hash functions, which may admit attacks such as [36,37,42,43].
From the perspective of efficiency, they make two block cipher calls per plaintext block (that is, their rate is 1/2) and inherit most of the advantages of GCM (parallelizability, stream-cipher encryption, and high-speed implementation). Specifically, they use three keys, call the underlying block cipher 2m + 2 times, and use m + a + 1 finite-field multiplications, while GCM uses one key, calls the underlying block cipher m + 2 times, and uses m + a + 1 finite-field multiplications, where m (resp., a) is the block length of the plaintext (resp., associated data). Their throughput is therefore about half that of GCM: OGCM-1 and OGCM-2 trade implementation efficiency for stronger security.
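As an added worked example (written for this page, not code from the paper or its authors), the following Python sketch ties together the finite-field arithmetic of the preliminaries, the EDM and EDMD constructions used by OGCM-1 and OGCM-2, and the cost count just given. It implements multiplication in GF(2^128) with P(x) = x^128 + x^7 + x^2 + x + 1, a GHASH-style polynomial AXU hash, EDM and EDMD on top of two permutations, and an Encryption-then-MAC mode whose keystream blocks are multi-EDM(D) outputs and whose tag masks the hash with one further EDM(D) call. Everything not stated in the text is an assumption made here: the block cipher is replaced by a toy SHA-256-based Feistel permutation (ToyPRP) so that the code runs offline, the input to the keystream generator is the 96-bit nonce concatenated with a 32-bit counter with counter 0 reserved for the tag, and the tag is computed as EDM(N‖0) ⊕ H(A, C). The names gf_mul, poly_hash, ogcm_encrypt and ogcm_decrypt are hypothetical; the call counters exist only to let you check the 2m + 2 block cipher calls and m + a + 1 multiplications claimed above.

```python
import hashlib
import hmac

N = 128                                                 # block size n in bits
P128 = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1
MASK64 = (1 << 64) - 1

def gf_mul(a, b, n=N, poly=P128):
    """a * b in GF(2^n): polynomial product over GF(2) reduced modulo poly.
    Shift-and-add, not constant time; adequate for a demonstration."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce by the irreducible polynomial
            a ^= poly
    return r

def to_blocks(data):
    """Split bytes into n-bit integers, zero-padding the last partial block."""
    return [int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
            for i in range(0, len(data), 16)]

def poly_hash(kh, ad, ct):
    """GHASH-style polynomial AXU hash of (A, C) under key kh (Horner's rule);
    the last block holds the bit lengths of A and C.  Returns
    (digest, number of field multiplications), the latter being a + m + 1."""
    blocks = to_blocks(ad) + to_blocks(ct) + [((len(ad) * 8) << 64) | (len(ct) * 8)]
    y = 0
    for blk in blocks:
        y = gf_mul(y ^ blk, kh)
    return y, len(blocks)

class ToyPRP:
    """Placeholder for the block cipher E_K (assumption: NOT a secure cipher).
    A 4-round Feistel network on 128 bits with a SHA-256 round function is a
    permutation, which is all this demo needs; it also counts invocations so
    the 2m + 2 block cipher calls stated in the text can be checked."""
    def __init__(self, key):
        self.key, self.calls = key, 0
    def _f(self, rnd, half):
        d = hashlib.sha256(self.key + bytes([rnd]) + half.to_bytes(8, "big")).digest()
        return int.from_bytes(d[:8], "big")
    def __call__(self, x):
        self.calls += 1
        l, r = x >> 64, x & MASK64
        for rnd in range(4):
            l, r = r, l ^ self._f(rnd, r)
        return (l << 64) | r

def edm(p1, p2, x):
    """Encrypted Davies-Meyer: pi2(pi1(x) xor x)."""
    return p2(p1(x) ^ x)

def edmd(p1, p2, x):
    """EDM Dual: pi2(pi1(x)) xor pi1(x)."""
    y = p1(x)
    return p2(y) ^ y

def keystream(core, p1, p2, base, nbytes):
    """Multi-EDM(D) keystream: block i = core(N || i), i = 1..m (layout assumed)."""
    m = -(-nbytes // 16)
    return b"".join(core(p1, p2, base | i).to_bytes(16, "big") for i in range(1, m + 1))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ogcm_encrypt(p1, p2, kh, nonce, ad, pt, core=edm):
    """Encrypt-then-MAC.  Assumed layout: 96-bit nonce || 32-bit counter with
    counter 0 reserved for the tag mask, as in GCM.  Returns (C, T, stats)."""
    assert len(nonce) == 12, "96-bit nonce assumed"
    base = int.from_bytes(nonce, "big") << 32
    calls0 = p1.calls + p2.calls
    ct = xor_bytes(pt, keystream(core, p1, p2, base, len(pt)))
    h, mults = poly_hash(kh, ad, ct)
    tag = (core(p1, p2, base) ^ h).to_bytes(16, "big")   # T = core(N||0) xor H(A, C): assumed
    return ct, tag, {"bc_calls": p1.calls + p2.calls - calls0, "gf_mults": mults}

def ogcm_decrypt(p1, p2, kh, nonce, ad, ct, tag, core=edm):
    """Verify the tag (constant-time compare) before decrypting; return None on
    failure so that no unverified plaintext is released."""
    base = int.from_bytes(nonce, "big") << 32
    h, _ = poly_hash(kh, ad, ct)
    if not hmac.compare_digest((core(p1, p2, base) ^ h).to_bytes(16, "big"), tag):
        return None
    return xor_bytes(ct, keystream(core, p1, p2, base, len(ct)))

if __name__ == "__main__":
    p1, p2 = ToyPRP(b"key-one"), ToyPRP(b"key-two")      # constructed sample keys
    c, t, stats = ogcm_encrypt(p1, p2, 0x0123456789ABCDEF0123456789ABCDEF,
                               bytes(range(12)), b"header", b"x" * 33)
    print(c.hex(), t.hex(), stats)                        # 3 blocks: 8 calls, 5 mults
```

Passing core=edmd gives the OGCM-2 flavour with the same cost profile: each keystream block costs two calls to the underlying permutation and the tag mask costs two more, and the hash costs one multiplication per block of A and C plus one for the length block, which is exactly the 2m + 2 and m + a + 1 count above. The decryption routine compares the tag before producing any plaintext, so a tampered ciphertext or associated data yields None rather than partial output.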
Compared with some existing BBB-secure AE schemes, OGCM-1 and OGCM-2 are block cipher-based nonce-respecting AE modes that ensure close to optimal security with good efficiency. Details are shown in Table 2. Note that RWCTRN [47] relies on the PRF assumption, so its block size n is at least 256.
OGCM-1 and OGCM-2 use three keys, which increases the cost of key management. We therefore describe a key derivation method that converts one key into several: the hash-function key  ℎ and the block cipher keys ( 1 ,  2 ) can be derived from a single secret key  by encrypting three distinct constants. This yields single-key variants of OGCM-1 and OGCM-2.
This paper focuses on strong security for GCM in the nonce-respecting scenario. A natural direction for future work is to design an improved mode that provides strong security in the nonce-misuse scenario and in other misuse scenarios (e.g., release of unverified plaintext and decryption misuse).

Conclusions
This paper focuses on strong security for GCM and presents two close to optimally secure variants, OGCM-1 and OGCM-2. They are based on the "Encryption-then-MAC" approach, where the encryption part uses multiple EDM or EDMD constructions as a close to optimally secure key-stream generator and the MAC part combines an AXU hash function with one EDM or EDMD construction to generate the authentication tag. OGCM-1 and OGCM-2 strike a balance between security and efficiency. In terms of security, OGCM-1 guarantees at most roughly (n − log 67 − 2 log(n − 1))-bit security and OGCM-2 at most roughly (n − log 67)-bit security, where n is the block size. In terms of efficiency, their rate is 1/2; that is, they make two block cipher calls per plaintext block. Compared with GCM [33] and CHM [30], OGCM-1 and OGCM-2 guarantee stronger security at lower efficiency. Compared with GCM-SIVr [32], OGCM-1 and OGCM-2 guarantee close to optimal security at higher efficiency.
GCM is a NIST-recommended block cipher mode of operation with wide application, but it ensures only birthday-bound security. OGCM-1 and OGCM-2, which provide close to optimal security, are extensions of GCM and are of practical significance.


Table 2: Comparison of AE schemes that provide BBB security. "↷" means that the left-hand assumption can be reduced to the right-hand one. "n.r." denotes nonce-respecting and "n.m." denotes nonce-misuse. "PRP" stands for pseudorandom permutation, "TPRP" for tweakable PRP, and "PRF" for pseudorandom function. m is the block length of the plaintext and a is the block length of the associated data. Let ,  ≥ 2 be two integers. "≃" stands for approximately equal to; for example, ≃128 means approximately equal to 128.